The 3 bugs that led to the breach of 50 million Facebook accounts

Facebook is reeling under serious data security threats as recently 50 million accounts fell prey for hacking where the profiles were directly accessed. Here’s how it all transpired…

Seems like the dark clouds have refused to budge over from Facebook as the social media giant faces yet another data breach issue. On September 25, around 50 million accounts on Facebook were exposed to a group of hackers who gained access to user profiles directly. The company’s official blog maintained to convey how Facebook took immediate measures to prevent any further losses as soon as the engineers identified the threat.

About the attack and 50 million hacked accounts

While the investigation is still in its early stages, Facebook has assured that the attackers exploited a vulnerability in its code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. For example, if you have a friend, View As enables you to view your account through that person’s eyes and that lets you check exactly what they could see. The View As option can be accessed by following these steps:

Go to your profile and click to the bottom right corner of your cover photo.

Click View As in the drop-down menu.

You’ll see what your profile looks to the public. To see how your profile appears to a specific person, like a friend or coworker, click View as Specific Person, type their name and press enter.

This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Guy Rosen, VP- Product Management, Facebook informed that the vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account holder themselves. This does mean they could have accessed other third-party apps like Instagram, Spotify, etc that were using Facebook login.

As updated by Facebook’s CEO, Mark Zuckerberg, the first bug was that, when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all. But in a very specific case, on certain types of posts that are encouraging people to post happy birthday greetings, it did show up.

The second bug was that this video uploader incorrectly used the single sign-on functionally, and it generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.

The third bug was that when the video uploader showed up as part of View As — which it wouldn’t do were it not for that first bug — and it generated an access token which is — again, wouldn’t do, except for that second bug — it generated the access token, not for you as the viewer, but for the user that you are looking up. It’s the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers. Those attackers then, in order to run this attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot on that access token to other accounts and then look up other users in order to get further access tokens.

Facebook in action

Soon after identifying the breach, Facebook officials fixed the vulnerability and informed law enforcement. The company has also reset the access tokens of the almost 50 million accounts we know were affected to protect their security.

Meanwhile, it is undertaking various measures step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people had to log back in to Facebook, or any of their apps that use Facebook Login. After they logged back in, people got notification at the top of their News Feed explaining what happened.

Facebook has also temporarily turned off the “View As” feature while it conducts a thorough security review.

The Impact

This attack exploited the complex interaction of multiple issues in Facebook’s code. It stemmed from a change the company had made to it’s video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

Facebook asserts that people’s privacy and security is incredibly important. Also, people don’t have to change their passwords now. However those having trouble logging back into Facebook — for example, because they’ve forgotten their password — should visit it’s Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.